The default configuration lets a user run every system command

Bug #540934 reported by Luke Faraone on 2010-03-18
This bug affects 1 person
Affects: lshell (Debian); Status: Fix Released; Importance: Unknown
Affects: lshell (Ubuntu); Importance: High; Assigned to: Luke Faraone

Bug Description

Binary package hint: lshell

Forwarded from Debian: "For example, I can run "echo $(/bin/sh)" or "echo $(/bin/su)", or every other command."

Luke Faraone (lfaraone) on 2010-03-18
visibility: private → public
Changed in lshell (Ubuntu):
assignee: nobody → Luke Faraone (lfaraone)
MarcRandolph (mrand) on 2010-03-18
Changed in lshell (Ubuntu):
importance: Undecided → High
status: New → Triaged
Changed in lshell (Debian):
status: Unknown → Fix Released
Benjamin Drung (bdrung) wrote :

unsubscribing ubuntu-sponsors, please resubscribe once you have addressed the points mentioned in the merge request

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lshell - 0.9.8-1ubuntu1

---------------
lshell (0.9.8-1ubuntu1) lucid; urgency=low

  * Add additional patterns to the forbidden characters list, per Debian bug
    572144. (LP: #540934)
  * Update Maintainer field.
 -- Luke Faraone <email address hidden> Sat, 03 Apr 2010 16:30:16 -0400

Changed in lshell (Ubuntu):
status: Triaged → Fix Released
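
An added example, not lshell's code and not part of this report: it shows why a check that only compares the command name against an allow list accepts the reported lines, and how a forbidden-pattern check on the raw line rejects them. The names ALLOWED, FORBIDDEN, first_word_only, find_forbidden and hardened, and the contents of both lists, are assumptions made for the example.

```python
import shlex

# Hypothetical policy for this example; not copied from any lshell release.
ALLOWED = {"ls", "echo", "cd"}
# Assumed pattern list: substrings that begin command substitution,
# variable expansion, chaining or redirection in a POSIX shell.
FORBIDDEN = [";", "&", "|", "`", ">", "<", "$(", "${"]


def first_word_only(line, allowed=ALLOWED):
    """Weak check: only the command name is compared with the allow list."""
    try:
        words = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return False
    return bool(words) and words[0] in allowed


def find_forbidden(line, forbidden=FORBIDDEN):
    """Return the forbidden patterns found anywhere in the raw line."""
    return [p for p in forbidden if p in line]


def hardened(line, allowed=ALLOWED, forbidden=FORBIDDEN):
    """Reject on any forbidden pattern, then apply the allow list.

    The scan runs on the raw input, before anything is handed to a real
    shell, because that shell is what would expand $(...) in the arguments.
    """
    if find_forbidden(line, forbidden):
        return False
    return first_word_only(line, allowed)


# Constructed samples; the second and third are the lines quoted in the report.
SAMPLES = ["ls -l /tmp", "echo $(/bin/sh)", "echo $(/bin/su)", "cat /etc/passwd"]


def evaluate(samples=SAMPLES):
    """Return (line, weak_result, hardened_result) for each sample."""
    return [(s, first_word_only(s), hardened(s)) for s in samples]


if __name__ == "__main__":
    for line, weak, strong in evaluate():
        print(f"{line!r:20} first-word check: {weak!s:5}  with forbidden list: {strong}")
```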
This report contains Public Security information
Everyone can see this security related information.
